Results of the First Saturn IB Launch Vehicle Test Flight AS-201
A Real Time Operating System for the Saturn V Launch ... · A REAL TIME OPERATING SYSTEM FOR THE...
Transcript of A Real Time Operating System for the Saturn V Launch ... · A REAL TIME OPERATING SYSTEM FOR THE...
A Real Time Operating System
for the Saturn V Launch Computer Complex
A REAL TINE: OPEMTTNG 4YGTEM FQR THE SATURN V ;LAUNCH COMPUTER CQMPhEX
Frank R. Palm
July 1966
INTERNATIONAL BUSINESS RSACHTNE8 SORPOWTTON F o ~ t Office Box 1230, $30 Sparkman Drive
Hunt6vilXe, Alabama 358CD7
The first Saturn V hunch will, mark a significant mila~tone in the
United States effort to plizqe map on the ~ Q Q O ~ , TO e;nsure a nafa mission,
extensive prelaynch vglzicle cheqkout of v ~ r i o u s v@hlclsf sy6temls i s r e r
quired, Qn moat previous misrsila systsma, qheehut was a~g~rnp l i sbsd
mqnually with the vehlcJe the pad many warzths prior t~ launch. As
vehiule sy~terns beeame more complex, automatian was neoeasary to
ensure safe, acourate, and effiolent vehiole ohack~gt. Qn the uprated
Saturn I, the Sa9turp IB, somg au'e~matic chsckout has b@@ln a ~ ~ o m p l b h ~ d ,
and will he further errtendgd sn the 8aturs 'V.
Personnel involved with sheckovt qfhn hava many ysars of @mepi-
ence ip checking out missile sygtiems; tlzel;e%re, Weir f~rxnulated ideas
in regard to aceornpliqhing chaskout - espssially in the aarly stags6 - leaves little rQam fa r reliance an e caznputsr syatem. Conqequently,
aut~rnatiop is done in steps, Tn eaob st@p the teat bmgine8r i s a l l ~ w ~ d
A REAL TIME OPERATING SYSTEM FOR THE SATURN V LAUNCH COMPUTER COMPLEX: PALM-2
absolute control at any time over the system. The checkout system has
the capability to analyze and react to various vehicle conditions and also
allows the operator to override these decision.
To perform Saturn Vehiule automatic checkout, the National Aero-
nautics and Space Administration selected a three-cqmputer complex con-
sisting of two RCA llOA Computers and a DDP 224 Computer. The three
computers in the system are connected in series by data links. The
master computer - an RCA llOA - located in the Launch Control Center,
is referred to a s the Launch Control Center Computer (LCCC). This com-
puter is connected to the other RCA llOA, located on the Mobile Launcher,
and is referred to a s the Mobile Launcher Computer (MLC). The master
computer is also connected to a DDP 224, the Display Control Computer
(DC C) . The DCC is utilized to operate the display system which consists
of 15 display consoles - each of which has a refresh memory. The engi-
neer, by viewing these display consoles and other equipment panels, is
kept informed of vehicle status. From these consoles and panels, the
engineer can control the checkout.
The LCCC schedules and executes vehicle test programs and moni-
tors system parameters.
A REAL TWIE OPERATING SYSTEM FOR THE SATURN V LAUNCH COMPUTER COMPLEX: PALM-3
The Mobile Launcher Computer handles direct communication
with the vehicle.
In order to utilize this computer system, IBM has written a versa-
tile operating system to handle the communication and overall system
supervision, allowing fast and efficient vehicle checkout with the test
engineer having complete authority.
The operating system has three main functions:
(1) Handle the intercommunication between the test engineer and
the vehicle. This involves commands transferred from the
test engineer through two or three computers to the vehicle
and the reverse path.
(2) Monitor vehicle data. System parameters a re checked
against limits, and out-of-tolerance conditions a r e reported
to the test engineer.
(3) Provide capability to execute vehicle test programs a s speci-
fied from a display console.
The operating system description and some of the computer char-
acteristics a r e a s follows. The main checkout computers, the RCA llOts,
have a 32,768 -word memory and the following input/output devices : a
A REAL TIME OPERATING SYST33M FOR THE SATURN V LAUNCH COMPUTER COMPLEX: PALM-4
32,768-word drum, 5 magnetic tape drives, a card reader, card punch,
line printer, data link, a Digital Data Acquisition System, and discrete
input/output channels. The Digital Data Acquisition System reads vehicle
system parameters into the memory of either of the checkout computers.
The discrete input/output equipment is used by the LCCC to read switch
position status and to issue the outputs which turn Off/On lights. The
discrete I/O equipment in the MLC sends signals to the vehicle and
receives discrete signals from the vehicle. The computers also have a
priority interrupt feature with four levels of interrupt. Each RCA llOA
has three interval timers which are available to the programmer. A
binary number, placed into one of the counters, is counted down at a one
millisecond rate. On a zero count the timer causes an interrupt on the
assigned priority level. These timers a re used to time vehicle reactions
and to eliminate any program hang-up caused by an unexpected hardware
condition.
Here is a list of the major operating systems components.
The Interrupt Processor - This is one of the most important
programs in the Operating System. It controls the various interrupting
A REAL TIME OPERATING SYSTEM FOR THE SATURN V LAUNCH COMPUTER COMPLEX: PALM-5
conditions, receiving control a s soon as an interrupt occurs. It deter-
mines what has caused the interrupt and which program will handle it.
It also performs some routine bookkeeping consisting of saving and
restoring some program registers. Because there is a certain amount
of inflexibility in the assignment of interrupts, this program makes pos -
sible a pseudo level of processing. Often an interrupt occurs and some
portion of the processing is done on the interrupting level; however, if
the processing is lengthy, the user program requests of the interrupt
processor to be put on the pseudo level. The interrupt processor then
services all pending lower-level interrupts and returns control to the
requesting program on level zero. The originally interrupted program
has not been restarted and will not be until the pseudo level is accom-
plished. Because the system is running on level zero and other interrupt-
ing condition may occur, the interrupt processor takes care of recursive
reentry problems which might occur while this pseudo level is executing
by allowing only one such function to be in execution a t a given time. If
A REAL TIME OPERATING SYSTEM FOR THE SATURN V LAUNCH COMPUTER COMPLEX: PALM-6
a second function is requested, the interrupt processor sets a flag which
is interrogated at the conclusion of the first function on the pseudo level.
Test Program Control - Since one of the primary functions
of the checkout system is to perform vehicle and subsystem tests, the
operating system contains a Test Program Control routine. This pro-
gram is the primary interface with the test engineer at the display con-
sole. It analyzes his key-word input to determine test legality and if his
console identification number is allowed to execute that test. Test pro-
grams are run one a t a time; however, the test program control provides
test engineers the capability to request execution of more than one pro-
gram. These are scheduled on a first-come, first-served basis. One
display console, containing a master identification to the program, can
control all test program execution. It may: a) cancel any program from
the stack, b) terminate any program, and c) request immediate execution
of any other program. Individual consoles can also cancel or terminate
those requests which have been executed from that console.
~nput/Output Control System - The ~nput/Output Control Sys-
tem program services the tapes, drum, printer, card reader, and card
punch. It performs the normal function of reading and writing of these
A REAL TIME OPERATING SYSTEM FOR THE SATURN V LAUNCH COMPUTER COMPLEX: PALM-7
devices doing the normal error checking. This program allows the
input/output processing to be done in parallel with the computing. Since
an input/output device failure can delay the system, this program is de-
signed to enable the system operation to continue if a particular device
fails. For example, if a request is made to write information on a tape
for post-processing and the tape is inoperative, the program will switch
to a second tape without data loss. If this second tape is also inoperative,
the program will indicate to the user program that the requested opera-
tion is complete and the data will be lost. It is preferable that the entire
system stay up and control be maintained, rather than bring the system
down due to loss of ap input/output device. This philosophy allows the
test engineer or test conductor to determine when the system must be
brought down, but the operating system continues to execute as long a s
possible.
Digital Data Acquisition System Executive - The Digital Data
Acquisition System (DDAS) is used to access the vehicle system param-
eters. On a cyclic basis this system accesses analog and discrete indi-
cations from the vehicle. The analog parameters a re converted to digital
and stored in the DDAS memory. Words from this memory can be read
A REAL TIME OPERATING SYSTEM FOR THE SATURN V LAUNCH COMPUTER COMPLEX: PAW-8
into either of the computers. A separate executive is written to handle
the reading of this device since it has several different modes of opera-
tion which a re peculiar to the hardware. Data can be read in as a straight
memory-to-memory transfer; e . g., a program may request to read
"location X from the DDAS memory into location Yu of the RCA llOA
computer memory. In another mode, data can be read in such a way
that what is presented represents the latest available based on the DDAS
scan rate.
The Data Link Executive - The operating system contains a
data link executive which supervises the flow of information between the
LCCC and the MLC. This data link executive schedules transmissions
from one computer to the other, tests hardware for failure conditions,
and sends appropriate command words to ensure that transmissions
arrive correctly. The system consists of two data links, of which one
is a redundant path. When one of these data links becomes inoperative,
the data link executive switches to the other link and continues process-
ing without loss of information.
Monitors - The operating system provides two types of
monitor programs. One type is used solely for display information.
A REAL TIME OPERATING SYSTEM FOR THE SATURN V LAUNCH COMPUTER COMPLEX: PALM -9
The parameters monitored by this program may be predefined o r dynam-
ically defined during system operation. A test engineer a t the console
may have the monitor program read system parameters on a periodic
basis. These parameters may be checked for out-of-tolerance condi-
tions and displayed on the display console. The other type of monitor
function is an executive which allows the execution of special-purpose
subroutines on a time-oriented basis. This useful tool allows execution
of small monitor subroutines even while other tests a re being performed.
The program has a predefined polling sequence of these subroutines and a
capability to run special routines out of sequence. No subroutine is exe-
cuted until it is requqsted from a test program, from a test engineer a t a
display console, or from another subroutine. Once in execution, the
routine remains in execution until it is terminated by any one of these
functions.
Discrete Executive - One of the most important programs in
the operating system is the one that handles the communication flow from
the test engineer's Electrical Support Equipment panel to the computers
and from the computers to the vehicle. From these panels the test engi-
neer controls outputs to the vehicle, permits or inhibits test program
A REAL TIME OPERATING SYSTEM FOR THE SATURN V LAUNCH COMPUTER COMPLEX: PALM-10
control of outputs to the vehicle, and receives vehicle status as reflected
on his panel lights. In keeping with the philosophy of the test engineer
having total system control, most of the system switches a re three-
position switches. Since most of the same discretes can be issued by
both test programs and switch position changes, the three-position switch
is utilized to give the test engineer a combination of automation and
absolute manual control. The switch normally controls one output func-
tion which can be issued by a test program only when the switch is in the
center position. The operating system not only responds to the switch
position changes by issuing the proper commands to the vehicle, but also
maintains the inhibit ,status of each output to the vehicle. Whenever a
test program elects to issue a discrete, it accesses this discrete through
the discrete executive. In the executive, the inhibit status of that function
is checked and, if inhibited, no command is issued to the vehicle.
The normal sequence of events when a switch position changes is
as follows:
(1) The switch position change occurs.
(2) An interrupt occurs at the LCCC.
(3) This interrupt is interpreted by the interrupt processor and
determined to be a discrete input.
A REAL TIME OPERATING SYSTEM FOR THE SATURN V LAUNCH COMPUTER COMPLEX. PALM-11
(4) Control is transferred to the discrete executive.
(5) The discrete executive accesses a status table and a history
table so that it can determine which input has changed; it
accesses an action table where response information is
stored for each discrete input.
(6) The normal response is to transmit a message utilizing the
data link executive and the data link hardware to the MLC.
(7) When the message arrives at the M E , the discrete executive
issues the appropriate command to the vehicle. An almost
identical reverse path exists for information which comes
from the vehicle back to the test engineer's electrical support
equipment panel. The vehicle status changes which causes an
interrupt in the MLC, After processing by the interrupt pro-
cessor, the discrete executive, the data link executive, and
the discrete executive in the LCCC, the appropriate command
is issued; and a light on the panel is turned off or on.
Display Programs - International Business Machines
Corporation writes the programs in the LCCC which interfaces with the
display computer. These a re primarily the data link executive for data
A REAL TIME OPERATING SYSTEM FOR THE SATURN V LAUNCH COMPUTER COMPLEX: PALM-12
link transmissions and a display service routine which handles program
requests for display of information on the display console. It is also
possible for programs to request llDisplay Descriptions. These consist
of predefined background data and conversion information. The background
data is displayed on the display console, and the conversion information
is utilized by the display computer to scale the raw binary data as it is
sent to the display computer for display on the screen.
System - The overall system must be reliable,
and since the MLC is unmanned during launch operation, it is important
that the operating system provide not only the capability to operate when
input/output devices fail, but also that it have the ability to recover from
system malfunctions. The operating system in the MLC contains a boot-
strap loader which is kept on the operating system tape and the drum.
Both of these loaders can be accessed by a load drum or load tape switch
remotely from the Launch Control Center, allowing the system to be
reloaded if either the drum or tape is operative.
Utility Executive - The operating system also provides the
standard utility type programs that a re necessary in any computer system -
such a s loaders, dump routines, snapshot routines and memory alter routines.
A REAL TIME OPERATING SYSTEM FOR THE SATURN V LAUNCH COMPUTER COMPLEX: PALM-13
Most of the utility capability can be controlled from the display console,
and output can be to the console, to tape or to the printers. The operating
system also contains programs to read the various clock systems that
a re input to the computer.
Reliability and Safety Considerations - One frequently-asked
question is: Why are test programs executed in the remote computer
instead of a t the computer closest to the vehicle? In the uprated Saturn I,
the Saturn IB series, the test programs were executed at the computer
which was located near the launch pad. However, the LCCC can be main-
tained, if necessary, during a countdown hold. Since the MLC is not
manned, no maintenapce is possible during a countdown. The goal on the
Saturn V system is to pull all possible functions back to the LCCC . The
initial version of the operating system contains a limited amount of system
reliability and recovery capability. This capability can be increased on
future shots.
The discretes via the switches are one of the most positive means
of control which the test engineer has over the vehicle status. If the test
engineer loses the status of the discrete inputs or outputs (due to some
hardware or software condition), a discrete re-initialization is necessary.
A R W L TIME OPERATING SYSTEM FOR THE SATURN V LAUNCH COMPUTER COMPLEX: PALM-14
This may have been caused by data link hardware failure, a program bug,
o r a computer failure. If loading of the operating system is necessary,
it is accomplished first. Once the operating system is running correctly,
the test engineer has several options which he can exercise. As soon as
the operating system begins to support the vehicle, the status of the
switches and the discrete status of the vehicle a re compared. Any dif-
ferences that exist a re printed and displayed. The test engineer can
change switch positions to agree with the vehicle status, or he can give
the Go-command which causes the operating system to issue all discrep - ancy conditions in the state specified by the switch.
One of the most serious problems in implementing the system has
been documentation. Because of the severe schedules and the large num-
ber of users, it has been a problem keeping a master set of listings and
flow charts up to date. To accomplish this, we have implemented a method
of utilizing the same input for both the assembler and automatic flow char-
ter. This symbolic input, along with the binary assembled information,
is maintained in a compressed format on a disc. From this file of informa-
tion, a user may request a system tape, a listing and/or flow chart of any
program in the system.
A REAL TIME OPERATING SYSTEM FOR THE SATURN V LAUNCH COMPUTER COMPLEX: PALM-15
Checkout of the programs is accomplished on a breadboard facility
at NASA's Marshall Space Flight Center. This facility contains the three
computer complex, some of the actual vehicle equipment, and simulators
for some of the equipment,
The following illustrations were used as slides in a
presentation of this paper a t the Real Time Systems Seminar ,
Houston, Texas, November 1966.
MISSION REQUIREMENTS
I - TEST ENG I NEER - VEH I CLE COMMUN I CAT I ON
e SWITCH SERVICING
e VEHICLE STATUS D I SPLAYS
2 - MONITOR CAPABILITY
3 - AUTOMATED TEST PROGRAMS
TEST ENGINEER
CONDITIONERS
SATURN V
LAUNCH
SPACE- CRAFT
CONTROL CENTER COMPUTER
S-IVB STAGE
IU
MOBILE LAUNCHER COMPUTER '
6-11 STAGE
S-IC STAGE
=lJMMARY (3 OPERATING SYSTEM FUNCTIONS
MLCILCCC OPERATION
LCCCIMLC DCCl lCCC OPERATION OPERATION
h -
PER1 PHERAL EQU l PMENT DDAS DATA L l NK D l SCRETE LVDC
SERV l C l NG SERVICING SERVl C lNG SERVICING SERVICING
I
MOBILE LAUNCHER MLC COMPUTER
CONTROL (MLC) ROUTINES
RESPONSE ACTIV ITY
OPERATIONAL ACTIV ITY
PER l PHERAL EQU l PMENT SERVICING
ACTIV ITY REQUESTS
r FUNCTION EXECUTOR ROUT l NES
r DISCRETES a M A l NTENANCE TEST PROGRAMS
4
LAUNCH CONTROL CENTER' COMPUTER
ACE-SIC LCC CONTROL
l.-?Yl ROUTINES RESPONSE ACTIV ITY ----- 1 -
OPERATIONAL ACTIV ITY
ACTIV ITY REQUESTS
r DISCRETES r TEST PROGRAMS @ ATOLL PROCEDURES @ D l S PLAY MONITOR
D I S P L A Y DATA L I N K SERVICING
DDAS SERVICING
C
DATA L I N K SERVICING
D l SCRETE SERV l C l NG
I INDICATOR LAMPS
I - - _ . - - - - - - - - -
I ESE SWITCHES
ON w- ISSUE MDO ON/OFF AND INHIBIT / I COMPLEX <-,AUTO ISSUE MDO OFF IF ON AND RELEASE INHIBIT \
-ISSUE MDO OFF/ON AND INHlBl OFF
I DISRETE EXECUTIVE
ON SWITCH AND CONTROL w-ISSUE MDO ON/OFF AND INHIBIT ISSUE LDO COMMDS
I /
SIMPLE AUTO RELEASE INHIBIT AUTOMATED \ AUTOMATED
PROCEDURE -ISSUE MDO OFF/ON AND INHIBIT
PROCEDURE OFF INTERFACE
MDl 8 MDO STATUS l NTERFACE
0 N ISSUE SWITCH SELECTOR FUNCTION X 9- INHIBIT SWITCH SELECTOR FUNCTION
SWITCH 1 SELECTOR +AUTO REMOVE INHIBIT FUNCTION ,
4 ISSUE SWITCH SELECTOR FUNCTION Y FUNCTION OFF INHIBIT SWITCH SELECTOR FUNCTION EXECUTER
ON
I fl-, ISSUE SWITCH SELECTOR FUNCTION Z
SWITCH / SELECTOR +AUTO RE-LEASE INHIBIT IF ON FUNCTION \
I - INHIBIT SWITCH SELECTOR FUNCTION Z OFF
-- - - - - - - - -
DISCRETE EXECUTIVE DATA FLOW CHART